A company is implementing a new policy that requires users to authenticate using both a password and a one-time code sent to their mobile phone. What type of authentication factor is the one-time code?
The one-time code is delivered to a device (the phone) that the user possesses, making it a 'something you have' factor.
Why this answer
Authentication factors are categorized as something you know (password), something you have (token or phone), and something you are (biometrics). A one-time code sent to a mobile phone is considered 'something you have' because access to the phone is required. This question tests the classification of multi-factor authentication components.